Why all websites need a privacy policy and how to create one

Privacy policy. The term conjures up images of grayed-out, minuscule links at the bottom of web pages. Though often ignored, this legal document is easily one of the most important texts on a website.

Together with Terms of Service documents, a mechanism for acquiring user consent and a Cookie Policy (required under the EU Cookie Law), it's a key component of what should be a 360° approach to making your e-commerce website compliant with both national and international regulations.

With this in mind, iubenda and 3dcart are hosting a webinar on Tuesday, March 13th, 2018 on How to easily make your website/app compliant with US law. To register, click here.

This article has been provided by iubenda, which helps businesses (from small to enterprise) craft privacy policies and other legal documents for their websites and apps.

With that said, what exactly is a Privacy Policy and what does it do?

A privacy policy is a legal document that discloses the ways in which a website collects, processes, stores, shares and protects user data, the purposes for doing so and the rights of the users in that regard.

All websites interact with and collect data about their visitors in one way or another. This is even more applicable in the case of an e-commerce store. E-commerce sites typically collect personal data such as names, email addresses, IP addresses, session activity and payment details, to name a few. For this reason, a privacy policy is vital: it protects website owners and customers alike, while also ensuring that your website complies with its legal obligations.

But do I NEED a Privacy Policy?

At this point, it's clear that a privacy policy is pretty important. As stated earlier, ALL websites interact with user data in some way. This means that if you have a website and you intend to have people visit it, then it's mandatory that you include a privacy policy. The law requires you to inform users about what data you collect and how it's used, stored and protected. As a matter of fact, under the EU GDPR (enforceable from 25 May 2018), your privacy policy must also inform users of their rights in regard to their data. The disclosures should be transparent, easily understandable, comprehensive and up-to-date. Failure to meet regulatory requirements can result in hefty fines (Article 83 allows administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher). The GDPR applies to all organizations (including non-profits) that process the personal data of people in the EU, whether by offering them goods or services or by monitoring their behaviour, regardless of whether the organization itself is located in the EU.

Not only is a privacy policy crucial to ensuring that legal requirements are met and customer trust is maintained, but many third-party apps and services require it. One example is Google. In order to access certain services and tools (for example, AdSense, Google Analytics, etc.), Google requires that you have a comprehensive and up-to-date privacy policy in place on your website.

“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data, and You must not circumvent any privacy features (e.g., an opt-out) that are part of the Service.”

What are the Legal Requirements?

Most countries have data protection and privacy legislation that requires businesses to have a privacy policy in place, but some regions and states have stricter laws than others.

The United States, for example, has no federal law that sets country-wide rules regarding privacy policies; however, some states have their own regulations in place. Matters such as handling the data of minors, using third-party processors and cookie consent often have their own special rules as well. The fact is, you need to follow the laws of the regions where you do business or at which you aim your services.

We’ll take a look at the most basic, intermediate and robust privacy policy requirements below:

At its most basic, your privacy policy should include the following:

Site / app owner details.

Disclosures related to third-party access to the data.

What data is being collected, how and why.

Disclosure of your process for notifying users of changes/ updates to your policy.

Effective date of policy.

It's important to note that something this basic would only apply to a local business that SOLELY sells to and processes data from local users, and even then the policy will still be subject to state laws, which might require you to include or disclose additional details.

It's worth highlighting that adhering only to requirements this basic can be hugely problematic: they may not meet the requirements of third parties, and in some cases can even leave you open to lawsuits or fines. Instead, it's advisable to start with the strictest regulations in mind and remove clauses where they aren't applicable.

The California Online Privacy Protection Act (CalOPPA) of 2003 is a good example of intermediate-level regulation. Under this act, all commercial websites that collect Personally Identifiable Information (PII) of California residents must post on their website a clearly visible privacy policy that complies with the regulatory requirements. Personally Identifiable Information here is defined as "individually identifiable information about an individual consumer" and includes a consumer's first and last name, home or other physical address, email address, telephone number, and Social Security number. CalOPPA applies as long as the website is accessible to California residents (the web server location and the location of the actual business do not matter).

Within the scope of CalOPPA, in addition to the basic requirements above, your privacy policy should include the following:

The process by which users can review and edit their Personally Identifiable Information (if any such process exists).

Disclosure related to how you handle the “Do Not Track” requests of users.

A list of categories of personally identifiable information collected.

Children's data also calls for special care. If your products or services target children, you must comply with the federal Children's Online Privacy Protection Act (COPPA). It applies to operators of websites or online services that are either directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13. Such operators must give notice to parents and obtain their verifiable consent before collecting, using or disclosing such personal information, and must keep the information they collect from children secure.

The General Data Protection Regulation (GDPR) is an excellent example of very robust data protection legislation. At its most basic, it specifies how personal data may be collected, used and protected. As the biggest change to data protection in the region in 20 years, it's intended to bolster and harmonize personal data protection for everyone in the EU. Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person. As mentioned earlier in this post, there are pretty hefty fines for non-compliance, so it's important to be ready.

Within the scope of the GDPR, your privacy policy should also include the following:

Disclosures related to any data processors if different from the site owner. This includes all parties having access to or involved in processing user data: third-party apps, widgets, social buttons, ad service integrations, etc.

Rights of users: under the GDPR, users have the right to access, rectify, port (transfer) and erase their data (the right to erasure applies where certain conditions are met), and your policy must tell them how to exercise these rights. Note that these rules apply to ALL organizations (including non-profits), regardless of location, that process the data of people in the EU or offer goods or services to them.

Other related requirements are

The link (to the privacy policy) should be clear and prominent

It should be easily accessible

Your policy may not use overly complicated or indecipherable language (no legalese and unnecessary jargon).

The GDPR applies to all organizations (including non-profits) that process the personal data of people in the EU, whether or not the organization is located in the EU. This effectively covers almost all companies (including US-based ones). As a matter of fact, a PwC survey showed that GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.

It's necessary to highlight here that under some legislation (in particular EU regulations), a privacy policy alone is not enough to fully comply. Where you rely on consent as your legal basis for processing, and in particular for setting non-essential cookies, EU rules require that you obtain active, demonstrable consent from users BEFORE collecting their personal data. Consent requires a positive opt-in: you shouldn't use pre-ticked boxes or similar methods of default consent, and you must be able to show what the user agreed to and when. The cookie consent requirement can be met by using the iubenda Cookie Solution.
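The opt-in rule above is easy to get wrong in practice: many sites load analytics and advertising tags on every page before the visitor has agreed to anything, or treat an absent or pre-filled form field as a "yes". The following is an added illustration, not code from iubenda or its Cookie Solution, of a minimal consent gate that only records an explicit tick, keeps a record of which policy version was agreed to, and runs non-essential tags only for the purposes that were granted. The purpose names, form field names and the policy version string are placeholders chosen for the example.

```javascript
// Added example (not iubenda's code): gate non-essential tags behind an
// explicit, recorded opt-in. Purpose and field names are placeholders.

const NON_ESSENTIAL = ["analytics", "marketing"];

// Build a consent record from submitted form fields. A missing field, or any
// value other than the checkbox's "on", counts as NOT consented, so a default
// or pre-filled value can never grant anything.
function buildConsentRecord(fields, policyVersion, now = new Date()) {
  const granted = {};
  for (const purpose of NON_ESSENTIAL) {
    granted[purpose] = fields[`consent_${purpose}`] === "on";
  }
  // policyVersion and timestamp make the consent demonstrable later.
  return { policyVersion, timestamp: now.toISOString(), granted };
}

// Consent given under an older policy text does not cover the current one.
function consentIsCurrent(record, currentVersion) {
  return Boolean(record) && record.policyVersion === currentVersion;
}

// Essential tags (e.g. the cart session cookie) always run; each other
// category runs only if this user granted it under the current policy.
function allowedCategories(record, currentVersion) {
  const allowed = ["essential"];
  if (!consentIsCurrent(record, currentVersion)) return allowed;
  for (const purpose of NON_ESSENTIAL) {
    if (record.granted[purpose]) allowed.push(purpose);
  }
  return allowed;
}

// Invoke the loader for each allowed category and return what was loaded.
// `loaders` maps a category to the function that injects its tag.
function loadTags(record, currentVersion, loaders) {
  const loaded = [];
  for (const category of allowedCategories(record, currentVersion)) {
    if (typeof loaders[category] === "function") {
      loaders[category]();
      loaded.push(category);
    }
  }
  return loaded;
}

// Constructed demo input: the visitor ticked analytics only.
const POLICY_VERSION = "2018-05-25"; // placeholder version identifier
const submittedFields = { consent_analytics: "on" };
const record = buildConsentRecord(submittedFields, POLICY_VERSION);
const loaders = {
  essential: () => {}, // e.g. set the cart session cookie
  analytics: () => {}, // e.g. inject the Google Analytics snippet
  marketing: () => {}, // e.g. inject ad pixels
};
console.log(loadTags(record, POLICY_VERSION, loaders)); // ["essential", "analytics"]
```

On a first visit there is no record at all, so `allowedCategories(null, ...)` returns only `["essential"]` and the analytics and marketing loaders never run; the same happens after you publish a new policy version until the visitor has opted in again.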

So how do I create a Privacy Policy?

You can create a privacy policy using any one of the following methods:

DIY using a free template. Though somewhat risky and inadvisable, it is possible to write your own privacy policy using the above information on legal requirements as a starting point (ideally you should research the applicable laws yourself); you should be able to find a basic template online that you can tweak to include the various clauses that apply to your specific business. Keep in mind that with this method there is no real guarantee that you're meeting requirements or that the information is stated correctly. The other drawback of this method is that all language versions and policy updates will have to be maintained manually.

Hiring a lawyer. If you can afford it, this is a good option as it ensures that you have access to a professionally contracted and personalized policy. You'd want to make sure that you find a lawyer with experience in international data protection law and check that the person being hired is up-to-date with requirements. Important aspects to consider when using this method are upfront AND ongoing costs. Fees for hiring a lawyer can be substantial and you may incur additional costs for translations and updates to the policy.

Using an online generator. The usefulness of this option depends heavily on the quality of the generator being used. Many online generators simply regurgitate the same generic clauses easily found in online templates, leaving you open to the same risks mentioned above. I would say that the key when using a generator is to find a service that offers custom options backed by verifiable legal expertise.

This is where iubenda can help. It's affordable, available in several languages, lawyer-crafted, customizable and self-updating. There's even a free limited version available to try out so that you can have an in-depth look at what it offers. We believe that it's the next best thing to actually hiring a lawyer, as it's prepared by our lawyers in accordance with the strictest international legislation. Furthermore, together with our Cookie Solution and Terms and Conditions generator, we aim to facilitate overall regulatory compliance by providing a 360° solution for your website or app.

Now that I've created my privacy policy, how do I integrate it into my website?

If you wrote the policy yourself or had it drafted externally by a lawyer, you will need to create a page on your website and copy the policy to it. If you use a CMS, go to the backend dashboard, select the option to create a new page, paste the policy, edit the page title and publish the page.

You'll then need to head to your main or footer menu and add the new page as a clearly visible text link (you can also add a button, but the process is a bit more complicated). In order to meet requirements, you'll need to make sure that the link is visible on every page.

Alternatively, if you used a generator, you will most likely have various options to export a snippet of code. After exporting, copy and paste the code into your website either via a text widget or by enabling your global footer and adding the code snippet to it, so that it appears on every page. The exact steps depend on your platform.

If you used the iubenda generator, you can easily install either:

A button with a modal window

A direct link (for App Stores for example)

A direct embed that shows your privacy policy as a part of your website

It's a pretty straightforward process, as the iubenda generator takes care of most of the hard work for you. You simply copy and paste into your site; the policy will be visible on every page, and you even have customization options to ensure that the look matches your branding. If you need any assistance along the way, there are video tutorials and a responsive customer service team available to help, and iubenda's documentation describes the integration process in more detail.

Key takeaways:

Privacy policies are, in most cases, required by law.

When preparing your privacy policy, you need to follow the laws of the regions where you do business or at which you aim your services (even if your business is not located in the region).

Non-compliance with regional regulations can lead to serious repercussions (including hefty fines).

When creating your privacy policy, it's advisable to start with the strictest regulations in mind and remove clauses where they aren’t applicable.

While it's entirely possible to DIY a privacy policy from a template, it's deeply inadvisable, as there is no real guarantee that you're meeting legal requirements or that the information is stated correctly. The best options for creating a privacy policy are hiring a lawyer or using a quality privacy policy generator service that offers custom options backed by verifiable legal expertise. When choosing a method, it's also useful to consider both short-term and long-term costs in terms of updates and language requirements.

Website integration mostly depends on the method chosen for creating the policy, however, in most cases it involves placing a code snippet into your website that links to the policy. The link (or button) should be clear, prominent and accessible from every page of your website.

Overall, a privacy policy is a vital part of any website's legal framework and shouldn't be underestimated. A clear, compliant, easily accessible privacy policy is not only necessary to protect you as an e-commerce company; it's also a key indicator of credibility, trust and your dedication to protecting your customers.